Security firm says increase in Tor usage is due to cyber criminal usage, not privacy-concerned users

Unfortunately for the Tor Project, its massive influx of new users[2] may not be due to a renewed interest in online privacy. According to Dutch security company Fox-IT, the big leap in Tor usage was actually due to cyber criminals using the service to hijack users’ home computers. Not exactly what you wanted to hear, I’m sure.

Before August 19th, an estimated 500,000 connections were being made to the Tor network. Within a week after that, that number ballooned to an astounding 1.5 million and continued to grow even after that.

Since what Tor does is attempt to mask the identity of users by rerouting their data through multiple computers that encrypt the data, it was assumed by many that most of the new users were either: people from countries with oppressive government authorities, or users grew increasingly worried about online privacy after the PRISM leaks. It made sense after all, but it was always a little strange that the massive spike came in August while the leaks occurred in early June.

Fox-IT, however, says that it traced that growing number of connections to a botnet, a network of computers that have been infected with malicious software then controlled without the owner’s knowledge. Cyber criminals often use botnets to steal information they can sell, send spam or even attack websites.

The security firm says that they have growing evidence that criminals using the Mevade.A or Sefnit botnet have started using Tor to control the infected computers. The geographical spread of infected computers on Sefnit was similar to that of those that recently joined Tor, and code that was being run on those PCs also showed that they had the latest version of Tor installed. As for what the botnet was actually being used for, Fox-IT says that it originates from a Russian-speaking region and is “likely motivated by direct or indirect financial-related crime.”

On the other hand, Tor itself says that it’s looking for ways to stop botnet controllers from using their network for malicious activity. They also added that Tor probably isn’t even the best method for these criminals to use:

“If you have a multi-million node botnet, it’s silly to try to hide it behind the 4,000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself.”